Customers Can Supply Their Own Key Material with EKM, BYOK, and Cache-Only Keys
Customers can supply their own key material by using External Key Management (EKM), Bring Your Own Key (BYOK), or Cache-Only Keys. Each offers a different level of control over key material and has its own setup requirements. With BYOK, customers generate tenant secrets and data encryption keys (DEKs) outside of Salesforce, using their own crypto libraries, enterprise key management system, or hardware security module (HSM), and upload them. With EKM and Cache-Only Keys, customers can supply their own DEKs.
If required, customer-supplied key material can be uploaded once every 4 hours in sandbox orgs and once every 24 hours otherwise. For more information, see Rotate Your Encryption Key Material in Salesforce Help. Customers can destroy key material declaratively or programmatically at any time.
The process for generating and encrypting customer-supplied key material varies depending on whether customers use a crypto service, an HSM, or a key brokering service. However, all customer-supplied key material must meet the same basic requirements before it can be uploaded to Salesforce. Users need the Manage Encryption Keys permission to upload and rotate key material and the Manage Certificates permission to manage certificates.
After they’re uploaded, customer-supplied tenant secrets work with the Salesforce key management systems just like Salesforce-generated tenant secrets. By default, when customer-supplied tenant secrets are uploaded, all subsequent data is encrypted with the key derived from the current primary secret and the new customer-supplied tenant secret. This org-specific derived data encryption key is never persisted on disk.
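The key hierarchy described above, as an added illustration that is not Salesforce code: tenant secrets are stored by version, the org-specific DEK is recomputed from the primary secret and a tenant secret each time it is needed and never stored, rotation changes which DEK protects new data, and destroying a tenant secret makes data under its DEK unrecoverable. The KDF (HKDF-SHA256) and the HMAC-based stand-in cipher are assumptions chosen so the model runs with the standard library only; Salesforce's actual derivation and cipher are not documented on this page.

```python
import hashlib
import hmac
import secrets
# Assumed KDF and stand-in cipher: illustrative model only, not Salesforce's implementation.

def hkdf_sha256(salt: bytes, ikm: bytes, info: bytes, length: int = 32) -> bytes:
    """RFC 5869 HKDF: extract with the salt, then expand to `length` bytes."""
    prk = hmac.new(salt, ikm, hashlib.sha256).digest()
    okm, block = b"", b""
    for i in range(1, -(-length // 32) + 1):
        block = hmac.new(prk, block + info + bytes([i]), hashlib.sha256).digest()
        okm += block
    return okm[:length]

def derive_dek(primary_secret: bytes, tenant_secret: bytes) -> bytes:
    """Org-specific DEK: recomputed from the two inputs on every use, never stored."""
    return hkdf_sha256(primary_secret, tenant_secret, b"data-encryption-key")

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream from HMAC-SHA256; stands in for AES-256 in this model."""
    return b"".join(hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
                    for i in range(-(-length // 32)))[:length]

class TenantSecretRing:
    """Versioned tenant secrets; only the secrets are kept, never a derived DEK."""

    def __init__(self, primary_secret: bytes):
        self.primary, self.versions, self.current = primary_secret, {}, 0

    def upload(self, tenant_secret: bytes) -> int:
        """Rotation: data written from now on uses the DEK derived from this secret."""
        self.current += 1
        self.versions[self.current] = tenant_secret
        return self.current

    def destroy(self, version: int) -> None:
        self.versions[version] = None  # data encrypted under this version is now unrecoverable

    def encrypt(self, plaintext: bytes) -> tuple:
        dek = derive_dek(self.primary, self.versions[self.current])
        nonce = secrets.token_bytes(12)
        ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(dek, nonce, len(plaintext))))
        tag = hmac.new(dek, nonce + ct, hashlib.sha256).digest()  # encrypt-then-MAC
        return self.current, nonce, ct, tag  # the secret version travels with the record

    def decrypt(self, record: tuple) -> bytes:
        version, nonce, ct, tag = record
        secret = self.versions.get(version)
        if secret is None:
            raise KeyError(f"tenant secret v{version} was destroyed; data unrecoverable")
        dek = derive_dek(self.primary, secret)
        if not hmac.compare_digest(tag, hmac.new(dek, nonce + ct, hashlib.sha256).digest()):
            raise ValueError("record failed authentication")
        return bytes(a ^ b for a, b in zip(ct, _keystream(dek, nonce, len(ct))))
```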

